Solved

Upgrading DC from 2003 to 2008

Posted on 2010-11-18
Last Modified: 2012-08-14
I am trying to upgrade my domain controller to Windows 2008 from Windows 2003. I stood up the new server and promoted it to a DC in the same domain and promoted it to a global catalog server. I also installed DNS and transferred the FSMO roles to the 2008 server. Everything seemed to be fine, Active Directory and DNS were replicating to the new server..
When I tried to demote the old server, I received a caution that there were no other Active Directory DCs in the forest. I then tried shutting off the old DC and all computers lost connection to the domain... I also noticed that when I bring up \\NEWDC my SYSVOL and NETLOGON shares are missing..
I have never had this problem on any other domain so I was hoping I could find answers here.. Any help would be greatly appreciated..
Question by:NavyIT
9 Comments
 
LVL 27

Expert Comment

by:KenMcF
ID: 34169989
It sounds like the new server never fully replicated.
Can you run
"netdom /quest fsmo" to see what server holds the fsmo roles
then run dcdiag on both DCs and post the results.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34170010
you mistyped on the FSMO command Ken....I know what you meant though...and it happens to all of us

netdom /query fsmo
0
 
LVL 27

Expert Comment

by:KenMcF
ID: 34170022
sorry about that, thanks Mike
0
 
LVL 78

Expert Comment

by:arnold
ID: 34170762
As others pointed out, if sysvol/netlogon are inaccessible, the replication did not complete.  Check to see whether there are errors that prevent the replication.
Once the replication completes and it does not prevent the DC from serving the domain, you should make sure that the IP of the new DC is included in the DNS/Name server settings pushed from the DHCP.
0
 

Author Comment

by:NavyIT
ID: 34173371
The new DC holds the following FSMO roles: Schema Master, Domain naming master, PDC, RID pool manager, Infrastructure master

I had to sanitize the dcdiag b/c this DC is on a classified network..
Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DC1
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DC1
      Starting test: Connectivity
         ......................... DC1 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DC1
      Starting test: Advertising
         Warning: DsGetDcName returned information for
         \\DC.domain, when we were trying to reach DC1.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... DC1 failed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... DC1 passed test FrsEvent
      Starting test: DFSREvent
         ......................... DC1 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... DC1 passed test SysVolCheck
      Starting test: KccEvent
         ......................... DC1 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DC1 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DC1 passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=(removed),DC=(removed),DC=(removed),DC=(removed),DC=(removed)
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=(removed),DC=(removed),DC=(removed),DC=(removed),DC=(removed)
         ......................... DC1 failed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\DC1\netlogon)
         [DC1] An net use or LsaPolicy operation failed with error 67,
         The network name cannot be found..
         ......................... DC1 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DC1 passed test ObjectsReplicated
      Starting test: Replications
         ......................... DC1 passed test Replications
      Starting test: RidManager
         ......................... DC1 passed test RidManager
      Starting test: Services
         ......................... DC1 passed test Services
      Starting test: SystemLog
         An Warning Event occurred.  EventID: 0x80009008
            Time Generated: 11/19/2010   05:55:05
            Event String:
            No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
         An Warning Event occurred.  EventID: 0x8000A008
            Time Generated: 11/19/2010   06:09:07
            Event String:
            The Security System has received an authentication request that could not be decoded. The request has failed.
         An Error Event occurred.  EventID: 0x80000017
            Time Generated: 11/19/2010   06:14:25
            Event String:
            The KDC received invalid messages of type changepassword.
         ......................... DC1 failed test SystemLog
      Starting test: VerifyReferences
         ......................... DC1 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : (Domain)
      Starting test: CheckSDRefDom
         ......................... (Domain) passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... (Domain) passed test CrossRefValidation

   Running enterprise tests on : (FQDN)
      Starting test: LocatorCheck
         ......................... (FQDN) passed test
         LocatorCheck
      Starting test: Intersite
         ......................... (FQDN) passed test
         Intersite
0
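A small parser for dcdiag output like the run posted above, added here as an example and not part of the original thread: it lists the failed tests and flags the case where NetLogons fails because the NETLOGON share cannot be reached. The sample text is constructed from the shape of that output, and the function names and the share heuristic are assumptions of this example.

```python
import re

# Constructed sample, shaped like the dcdiag run posted in the thread.
SAMPLE = r"""
   Testing server: Default-First-Site-Name\DC1
      Starting test: Advertising
         Warning: DsGetDcName returned information for
         \\DC.domain, when we were trying to reach DC1.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... DC1 failed test Advertising
      Starting test: SysVolCheck
         ......................... DC1 passed test SysVolCheck
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\DC1\netlogon)
         ......................... DC1 failed test NetLogons
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
"""

START = re.compile(r"^\s*Starting test:\s*(\S+)")
RESULT = re.compile(r"^\s*\.{5,}\s+(\S+) (passed|failed) test\s*(\S*)\s*$")

def parse_dcdiag(text):
    """Return a list of (target, test, status, detail_lines) tuples."""
    results, current, detail = [], None, []
    for line in text.splitlines():
        m = START.match(line)
        if m:
            current, detail = m.group(1), []
            continue
        m = RESULT.match(line)
        if m and current:
            # dcdiag wraps long result lines, so the test name is taken from
            # the "Starting test:" line rather than from the result line.
            results.append((m.group(1), current, m.group(2), detail))
            current = None
        elif current and line.strip():
            detail.append(line.strip())
    return results

def failed_tests(results):
    return [(target, test) for target, test, status, _ in results if status == "failed"]

def netlogon_share_missing(results):
    # Heuristic assumed by this example: NetLogons failed and its detail names the share.
    return any(t == "NetLogons" and s == "failed" and any("NETLOGON share" in d for d in det)
               for _, t, s, det in results)
```

Note that in the posted run SysVolCheck passed while NetLogons failed, so the share check is keyed on NetLogons rather than on SysVolCheck.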
 
LVL 78

Expert Comment

by:arnold
ID: 34173750
Depending on what limitation and how much data needs to be replicated it seems it time should get the replication done.
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23337964.html

The computer machine password does not match, you may need to make sure it is correct on the new DC
http://support.microsoft.com/kb/325850

It seems that you transferred the roles soon after the new DC joined the domain?
Not sure whether it would be better to transfer the roles back to the windows 2003 system and let the data replicate. (make sure you have a current system state backup.)

http://www.petri.co.il/forums/showthread.php?t=24776
0
 

Accepted Solution

by:
NavyIT earned 0 total points
ID: 34188611
Thank you for all your help. The problem turned out to be a registry setting..
I set Burflags in
HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
to D4; Reset the Netlogon and NTFRS services; and the NETLOGON and SYSVOL shares showed up..

AD is replicating and I have no errors..
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 34824938
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0
